Fault-tolerant clock synchronisation

ABSTRACT

A clock synchronization method is described for a system including N clocks, at least three and at most N−1 of which are master candidate clocks. A start message is broadcast from the fastest master candidate clock. From each of the master candidate clocks, a response message including the local time of receipt of the start message according to the clock in question is broadcast. Using the information representing the times of receipt of the start message, the median master candidate clock is selected and becomes the master clock. The master clock determines the clock synchronisation error for each master candidate clock, using the information representing the times of receipt of the start message. If any such clock synchronisation error is excessive the master clock declassifies the clock in question as a master candidate clock and classifies another clock as a master candidate clock. This is achieved by broadcasting a classification message identifying which of the N clocks are to be classified as master candidate clocks. Next, the master clock broadcasts a synchronisation message including the local time of receipt of the classification message according to the master clock. Each of the other N−1 clocks is then synchronised with the master clock using that information and the local time of receipt of the classification message according to the clock in question.

BACKGROUND TO THE INVENTION

This invention relates to fault-tolerant clock synchronisation in distributed real-time systems.

Distributed real-time systems consist of a set of nodes that communicate with one another by means of message passing. Each node contains a local real-time clock and since physical clocks do not keep perfect time, but can drift with respect to one another, the clocks must periodically be resynchronised to a common time reference. Such clock synchronisation is crucial to enable all nodes to agree on the time and is of particular importance in systems that schedule specific activities with reference to time. In the following discussion, the term “clock” will be used to describe not only the physical, real-time clock associated with a node, but also any device connected to a node that incorporates such a physical, real-time clock.

One sphere of application in which the importance of temporal agreement between nodes is paramount is the sphere of safety-critical applications. Safety-critical applications are applications in which faults that develop have the potential to result in death or serious physical injury. Examples are fly-by-wire or drive-by-wire systems as are used in the avionics and automotive industries, nuclear power plant control and medical robotics. Many of these systems make use of a controller area network or CAN bus.

Over the last two decades, a number of clock synchronisation methods have been proposed: Anceaume, E. & Puaut, I., “Performance evaluation of clock synchronization algorithms”, Tech. Report N3526, Unite de recherche INRIA Rennes, IRISA, Campus Universitaire de Beaulieu, 35042 Rennes Cedex, France, 1998; Shin, K. G. & Butler, R. W., “Fault-Tolerant Clock Synchronization in Distributed Systems”, IEEE Computer, pp. 33-42, October 1990. However, many of the published methods are too complicated to use for embedded real-time systems. For embedded systems, a master-slave architecture is widely used due to its simplicity: Gergeleit, M. & Streich, H., “Implementing a distributed high-resolution real-time clock using the CAN bus”, Proc. CIA 1st International CAN Conference (ICC), 1994. With a master-slave architecture, one node in the system is designated as the master clock, which generates the reference time. The other clocks, designated as the slaves, are periodically synchronised to the master clock time. Not only does the master-slave approach introduce only a small amount of traffic onto the bus, but also it is flexible for future modification. However, the master-slave approach has the significant drawback that a single fault in the master clock can lead to loss of synchronisation.

SUMMARY OF THE INVENTION

One objective of embodiments of the present invention is to provide a master-slave based clock synchronisation method that can tolerate faults in the master clock. This is achieved by classifying some, but not all, of the clocks in the system as master candidate clocks for the time being. This group of clocks will be referred to as the master candidates group or MCG. The master clock is selected from the MCG. Any master candidate clock that is found to be faulty and therefore possesses an excessive clock synchronisation error, is removed from the MCG and its place taken by another clock.

Accordingly, embodiments of the present invention provide a clock synchronization method for a system including N clocks, comprising:

-   classifying at least three and at most N−1 of those clocks as master candidate clocks;
-   selecting one of the master candidate clocks and classifying it as a master clock;
-   synchronising each of the N clocks other than the master clock with the master clock; and
-   for each master candidate clock, determining whether its clock synchronisation error is excessive and, in response to an affirmative determination, declassifying that clock as a master candidate clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock.

If a fault develops in one of the master candidate clocks, which is sufficiently serious that the clock synchronisation error of the master candidate clock is excessive, then the clock will be removed from the MCG. Having been removed from the MCG, the clock is no longer available to be selected as the master clock. It will operate as a slave clock or be disabled or disregarded altogether.

The process of selecting a master clock from the MCG is an additional important consideration. For example, it may not be wise to choose either the fastest or the slowest master candidate clock as the master clock. If that were allowed, then a clock that develops a fault just as the master clock selection process is taking place, and therefore runs fast or slow, may be selected as the master clock for the subsequent clock synchronization operation. Alternatively, there may be situations in which it is preferable to select the fastest or slowest clock. In each case, information must be gathered on the relative clock rates of the various clocks in the MCG.

Accordingly, it is preferred that the process of selecting one of the master candidate clocks should comprise:

-   from one of the master candidate clocks, broadcasting a master selection initiation message;
-   from each of the other master candidate clocks, broadcasting a master selection response message including information representing the local time of receipt of the master selection initiation message according to the clock in question; and
-   selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message.

It will be understood that for each master candidate clock, the local time of receipt of the master selection initiation message will be determined by two factors, namely propagation delay, which can safely be assumed to be negligible, and the clock rate of the local clock.

For convenience, the master selection initiation message will be broadcast from the fastest master candidate clock. This means that each master candidate clock can be adapted to broadcast the master selection initiation message at a given local time unless such a message has already been broadcast by another master candidate clock. Thus, all the master candidate clocks operate identically and the master selection initiation message will in the normal course of events be broadcast by whichever of the clocks is running fastest. In some cases, as explained above, it may not be wise to choose the fastest master candidate clock as the master clock. Thus, the system can be designed to discount whichever of the master candidate clocks broadcast the master selection initiation message.

On the other hand, it is convenient to determine the clock synchronisation error for each master candidate clock using the information representing the local times of receipt of the master selection initiation message. In these circumstances, the local time of receipt of the master selection initiation message for all the master candidate clocks ought to be known. It cannot be assumed that the local time of receipt of the master selection initiation message according to the broadcasting clock will be calculable from the time of broadcast, since even though propagation delays may be negligible, there may nonetheless be unpredictable pre-transmission delays, associated for example with bus or channel arbitration and seizure.

In these circumstances, it is preferred that the process of selecting one of the master candidate clocks should comprise:

-   from one of the master candidate clocks, broadcasting a master selection initiation message;
-   from each of the master candidate clocks, broadcasting a master selection response message including information representing the local time of receipt of the master selection initiation message according to the clock in question; and
-   selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message.

In the light of the above discussion, it is another objective of the present invention to provide a master-slave based clock synchronisation method with improved real-time clock uniformity. This is achieved by selecting a master clock from an MCG according to clock rate characteristics.

Accordingly, embodiments of the present invention provide a clock synchronization method for a system including N clocks, comprising:

-   classifying at least three and at most N−1 of those clocks as master candidate clocks;
-   from one of the master candidate clocks, broadcasting a master selection initiation message;
-   from each of the other master candidate clocks, broadcasting a master selection response message including information representing the local time of receipt of the master selection initiation message according to the clock in question;
-   selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and classifying it as a master clock; and
-   synchronising each of the N clocks other than the master clock with the master clock.

To the same end, and as discussed above, embodiments of the present invention also provide a clock synchronization method for a system including N clocks, comprising:

-   classifying at least three and at most N−1 of those clocks as master candidate clocks;
-   from one of the master candidate clocks, broadcasting a master selection initiation message;
-   from each of the master candidate clocks, broadcasting a master selection response message including information representing the local time of receipt of the master selection initiation message according to the clock in question;
-   selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and classifying it as a master clock; and
-   synchronising each of the N clocks other than the master clock with the master clock.

In the case where the fastest or slowest of the master candidate clocks should not be selected as the master clock, it is preferred that the process of selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message comprises selecting the median master candidate clock. In most systems this can be shown to maximise real-time clock uniformity.

Once a master candidate clock has been removed from the MCG owing to excessive clock synchronisation error, it makes sense to classify it as out of use, at least until it is repaired. Therefore, the method preferably comprises, in response to the affirmative determination, classifying as a faulty clock the clock that is declassified as a master candidate clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock or a faulty clock.

For convenience, the question whether the clock synchronisation error for each master candidate clock is excessive may be determined by the master clock. In such a case, following determination of that question, the master clock may broadcast a classification message identifying which of the N clocks are to be classified as master candidate clocks.
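The median selection and reclassification steps described above, as an added C example that is not code from the patent: it picks the median candidate from the reported receipt times, marks any candidate whose receipt time differs from the master's by more than a threshold as faulty, and promotes a replacement. The error measure (absolute difference from the master's receipt time), the threshold `max_error`, the bitmap encoding of the classification message, the tie-breaks, and all names and sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CLOCKS 16   /* assumed upper bound on N */

enum role { ROLE_SLAVE, ROLE_CANDIDATE, ROLE_FAULTY };

/* One master selection response: who answered and when (in local ticks)
 * that node saw the master selection initiation message arrive. */
struct response { int node; uint32_t rx_time; };

struct round_result { int master; int removed; uint16_t candidates; };

static int cmp_rx(const void *a, const void *b)
{
    const struct response *x = a, *y = b;
    if (x->rx_time != y->rx_time)
        return x->rx_time < y->rx_time ? -1 : 1;
    return x->node - y->node;   /* tie-break so every node sorts identically */
}

/* Median candidate by receipt time; -1 if fewer than three responses. */
int select_master(const struct response *resp, int n)
{
    struct response sorted[MAX_CLOCKS];
    if (n < 3 || n > MAX_CLOCKS)
        return -1;
    memcpy(sorted, resp, (size_t)n * sizeof *resp);
    qsort(sorted, (size_t)n, sizeof *sorted, cmp_rx);
    return sorted[(n - 1) / 2].node;   /* lower median for even n (assumption) */
}

/* Master-side check. resp[] holds the candidates' responses; roles[] is
 * indexed by node id. Each faulty candidate is replaced by one unused,
 * non-faulty clock, if any is left. */
struct round_result run_round(enum role roles[], int n_clocks,
                              const struct response *resp, int n_resp,
                              uint32_t max_error)
{
    struct round_result r = { select_master(resp, n_resp), 0, 0 };
    uint32_t master_rx = 0;
    if (r.master < 0 || n_clocks > MAX_CLOCKS) {
        r.master = -1;
        return r;
    }
    for (int i = 0; i < n_resp; i++)
        if (resp[i].node == r.master)
            master_rx = resp[i].rx_time;
    for (int i = 0; i < n_resp; i++) {
        int id = resp[i].node;
        uint32_t t = resp[i].rx_time;
        uint32_t err = t > master_rx ? t - master_rx : master_rx - t;
        if (id < 0 || id >= n_clocks || err <= max_error)
            continue;
        roles[id] = ROLE_FAULTY;   /* stays out of the MCG until repaired */
        r.removed++;
        for (int k = 0; k < n_clocks; k++)
            if (roles[k] == ROLE_SLAVE) { roles[k] = ROLE_CANDIDATE; break; }
    }
    /* Classification message payload: bit k set means clock k is a candidate. */
    for (int k = 0; k < n_clocks; k++)
        if (roles[k] == ROLE_CANDIDATE)
            r.candidates |= (uint16_t)(1u << k);
    return r;
}

/* Constructed round: N = 6, clocks 0..4 are candidates, clock 5 is not,
 * and clock 3 has fallen about 600 ticks behind the others. */
struct round_result run_constructed_round(void)
{
    enum role roles[6] = { ROLE_CANDIDATE, ROLE_CANDIDATE, ROLE_CANDIDATE,
                           ROLE_CANDIDATE, ROLE_CANDIDATE, ROLE_SLAVE };
    const struct response resp[5] = {
        { 0, 10000 }, { 1, 9998 }, { 2, 9997 }, { 3, 9400 }, { 4, 9999 } };
    return run_round(roles, 6, resp, 5, 50);
}

int main(void)
{
    struct round_result r = run_constructed_round();
    printf("master=%d removed=%d candidates=0x%02x\n",
           r.master, r.removed, (unsigned)r.candidates);
    return 0;
}
```

In the constructed round neither the fastest clock (0) nor the lagging clock (3) can become master, because both sit at the ends of the sorted receipt times.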

Again for convenience, synchronising each of the N clocks other than the master clock with the master clock may comprise:

-   from the master clock, broadcasting a synchronisation message including synchronisation information; and
-   synchronising each of the N clocks other than the master clock with the master clock using the synchronisation information.

If the master clock broadcasts both a classification message and a synchronisation message, the existence of the two messages may be used to advantage. In that case, synchronising each of the N clocks other than the master clock with the master clock may comprise:

-   from the master clock, broadcasting a synchronisation message including synchronisation information representing the local time of receipt of the classification message according to the master clock; and
-   synchronising each of the N clocks other than the master clock with the master clock using the synchronisation information and the local time of receipt of the classification message according to the clock in question.

The system may further include M slave clocks, and the method may further comprise synchronising each of the M slave clocks with the master clock. For convenience, the synchronising of each of the M slave clocks and the synchronising of each of the N clocks other than the master clock may be accomplished in common.

Another objective of embodiments of the present invention is to provide a clock that is capable of use in a master-slave based clock synchronisation method that can tolerate faults in the master clock. This is achieved by a clock that is classifiable as a master candidate clock, thus belonging to an MCG, or a master clock for the time being. When N such clocks are incorporated into a system, the system operates to remove any faulty clock from the MCG and replace it with another.

Accordingly, embodiments of the present invention provide a clock for use in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the clock comprising control means adapted to operate as follows:

-   to record whether the clock is classified as a master clock or a master candidate clock;
-   if the clock is classified as a master clock, to determine, for each master candidate clock, whether its clock synchronisation error is excessive and, in response to an affirmative determination, to broadcast a classification message declassifying that clock as a master candidate clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock; and
-   if the clock is not classified as a master clock, to receive such a classification message broadcast from a master clock and, if that message classifies or declassifies it as a master candidate clock, to record that fact.

A further object of embodiments of the invention is to provide the controlling software for a clock that is capable of use in a master-slave based clock synchronisation method that can tolerate faults in the master clock. Accordingly, embodiments of the present invention provide a software product for a clock comprised in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the software product comprising software code adapted to cause the clock to operate as follows:

-   to record whether the clock is classified as a master clock or a master candidate clock;
-   if the clock is classified as a master clock, to determine, for each master candidate clock, whether its clock synchronisation error is excessive and, in response to an affirmative determination, to broadcast a classification message declassifying that clock as a master candidate clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock; and
-   if the clock is not classified as a master clock, to receive such a classification message broadcast from a master clock and, if that message classifies or declassifies it as a master candidate clock, to record that fact.

For convenience, clock synchronisation is achieved by the control means being further adapted to operate as follows, or the software code being further adapted to cause the clock to operate as follows:

-   if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and
-   if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.

The process of selecting a master clock is an additional important consideration, as described above. Accordingly, the control means may be further adapted to operate as follows, or the software code may be further adapted to cause the clock to operate as follows:

-   if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock;
-   if the clock is classified as a master candidate clock and such a master selection initiation message is broadcast by another master candidate clock before the given local time, to receive the master selection initiation message and to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message;
-   if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock.

Alternatively, in cases where the local time of receipt of the master selection initiation message for all the master candidate clocks ought to be known, the control means may be further adapted to operate as follows, or the software code may be further adapted to cause the clock to operate as follows:

-   if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock;
-   if the clock is classified as a master candidate clock and such a master selection initiation message has been broadcast, to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message;
-   if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock.

In the light of the above discussion, it is another objective of embodiments of the present invention to provide a clock that is capable of use in a master-slave based clock synchronisation method with improved real-time clock uniformity. This is achieved by a clock that is classifiable as a master candidate clock, thus belonging to an MCG, or a master clock for the time being. When N such clocks are incorporated into a system, the system operates to select a master clock from the MCG according to clock rate characteristics.

Accordingly, embodiments of the present invention provide a clock for use in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the clock comprising control means adapted to operate as follows:

-   to record whether the clock is classified as a master clock or a master candidate clock;
-   if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock;
-   if the clock is classified as a master candidate clock and such a master selection initiation message is broadcast by another master candidate clock before the given local time, to receive the master selection initiation message and to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message;
-   if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock;
-   if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and
-   if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.

To the same end, embodiments of the present invention also provide a clock for use in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the clock comprising control means adapted to operate as follows:

-   to record whether the clock is classified as a master clock or a master candidate clock;
-   if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock;
-   if the clock is classified as a master candidate clock and such a master selection initiation message has been broadcast, to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message;
-   if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock;
-   if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and
-   if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.

A further object of embodiments of the invention is to provide the controlling software for a clock that is capable of use in a master-slave based clock synchronisation method with improved real-time clock uniformity. Accordingly, embodiments of the present invention provide a software product for a clock comprised in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the software product comprising software code adapted to cause the clock to operate as follows:

-   to record whether the clock is classified as a master clock or a master candidate clock;
-   if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock;
-   if the clock is classified as a master candidate clock and such a master selection initiation message is broadcast by another master candidate clock before the given local time, to receive the master selection initiation message and to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message;
-   if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock;
-   if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and
-   if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.

To the same end, embodiments of the present invention provide a software product for a clock comprised in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the software product comprising software code adapted to cause the clock to operate as follows:

-   to record whether the clock is classified as a master clock or a master candidate clock;
-   if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock;
-   if the clock is classified as a master candidate clock and such a master selection initiation message has been broadcast, to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message;
-   if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock;
-   if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and
-   if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.

As discussed above, the clock synchronisation error may be determined for each master candidate clock using the information representing the local times of receipt of the master selection initiation message and it is preferred that the control means be adapted to operate so, or the software code be adapted to cause the clock to operate so. The control means may be adapted to select the median master candidate clock, or the software code may be adapted to cause it to do so.

Once a master candidate clock has been removed from the MCG owing to excessive clock synchronisation error, it makes sense to classify it as out of use, at least until it is repaired. Therefore, it is preferred that the control means be further adapted to operate as follows, or the software code be adapted to cause the clock to operate as follows:

-   to record whether the clock is classified as a faulty clock;
-   if the clock is classified as a master clock, in response to an affirmative determination of the question whether the clock synchronisation error of a master candidate clock is excessive, to broadcast a classification message classifying that clock as a faulty clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock or a faulty clock; and
-   if the clock is not classified as a master clock and such a classification message broadcast from a master clock classifies it as a faulty clock, to record that fact.

For convenience, the control means may be adapted to operate as follows, or the software code may be adapted to cause the clock to operate as follows:

-   if the clock is classified as a master clock, following the determination of the question whether the clock synchronisation error of each master candidate clock is excessive, to broadcast a classification message identifying which of the N clocks are to be classified as master candidate clocks.

As discussed above, such a classification message may be used to advantage in the synchronisation process. To this end, it is preferred that the control means be further adapted to operate as follows, or that the software code be further adapted to cause the clock to operate as follows:

-   if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information representing the local time of receipt of the classification message according to the master clock; and
-   if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information and the local time of receipt of the classification message according to the clock in question.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the present invention will now be described by way of example with reference to the accompanying drawings in which:

FIGS. 1 a and 1 b are representations of the clock clustering scheme;

FIG. 2 is a time chart of the clock synchronisation method; and

FIG. 3 is a state diagram of the clock synchronisation process.

DETAILED DESCRIPTION OF AN EMBODIMENT OF THE INVENTION

The embodiments of the present invention that will now be described provide a reliable clock synchronisation method for distributed real-time systems using a CAN bus. They make use of a number of features of the CAN protocol, which will briefly be described, with the result that a highly fault tolerant clock synchronisation system can be put in place using software alone.

1. Atomic Broadcasting

Atomic broadcasting is a feature of the CAN protocol that enables a node in the system to broadcast a message to every other node in the system. To prevent messages from more than one node being broadcast simultaneously, some form of bus arbitration process is used, but once bus access is granted by the arbitration process, the message is received substantially simultaneously by all the other nodes in the system. Receipt by the other nodes is acknowledged.

By “substantially simultaneously” is meant at times that differ from one another by substantially less than the temporal granularity of the system. For example, a gas turbine may have a temporal granularity of 1 ms, meaning that it can be adequately serviced by a 1 kHz bus, but the size of the device is such that the longest propagation delay between system nodes will be less than 100 ns. That is less than 10% of the temporal granularity of the gas turbine.

2. Message Identifiers

Each message in the CAN protocol is marked with a message identifier. The message identifier includes at least an indication of the message priority. Typically, there are over 2000 priority levels, numbered in reverse order of priority. A message showing priority “0” is the highest possible priority message.

3. A Posteriori Time Stamping

A posteriori time stamping is a technique for allowing synchronisation to take place as messages arrive at their destinations as opposed to when they leave their sources. Using a posteriori time stamping in conjunction with atomic broadcasting allows latency errors to be cancelled out.

Embodiments of the present invention are based on a master-slave approach to establish as simple a method as possible. They use a clustering technique that classifies all clock nodes in the system into groups. These groups are a master candidates group (MCG), a master clock substitutes group (MCSG) and a slave clock group (SCG). The technique is illustrated schematically in FIGS. 1a and 1b and is designed to overcome the traditional problems relating to master clock faults. The prevailing master clock is periodically selected from the MCG. As will be explained, by combining this clustering method and a master-slave architecture, embodiments of the present invention provide reliable and accurate reference time synchronisation. Every resynchronisation cycle, a selection mechanism chooses a median clock from the MCG as the master clock. The selection mechanism also identifies faulty clocks within the MCG. If any faulty clocks have been detected, they are replaced with non-faulty clocks from the MCSG.

Thus, at each resynchronisation cycle, only clocks in the MCG take part in the selection of a master. In contrast, clocks in the MCSG do not take part in the selection, and are only for replacing faulty clocks of the MCG. The remaining clocks in the system are slaves, which have to synchronise to the selected master clock, but are not required to broadcast any messages for clock synchronisation.

FIG. 3 is a state diagram of the master selection and synchronisation process utilising the clustering technique described to achieve synchronisation of the clocks in each periodic resynchronisation cycle. The system illustrated in FIG. 3 includes N+M clocks in total. Of these, N clocks are capable of serving as the master clock and, assuming they are not faulty, are at any one time distributed across the MCG and the MCSG. The remaining M clocks are permanent slave clocks and are always in the SCG. Each of the N potential master clocks is assigned a unique priority number, which would typically be hard-wired, but may be achieved during an initialisation process on power-up of the system. Moreover, each of the clocks in the system is hard-wired with information identifying the number K of clocks that are to form the MCG. The value of K is at least three and may be as many as N−1. In the preferred embodiment, K is exactly three. This leaves N−K clocks in the MCSG, assuming none of the clocks is faulty, which means that there is at least one clock and at most N−3 clocks in the MCSG, from which a replacement for a faulty clock in the MCG can be chosen. When the system is powered up, the K clocks having the highest priorities, e.g. Clocks C₁, C₂, . . . C_(K), organise themselves into the MCG. The remaining N−K clocks having the lowest priorities, e.g. Clocks C_(K+1), C_(K+2), . . . C_(N−1), C_(N), organise themselves into the MCSG. This self-organisation takes place by each of the clocks setting the appropriate bits in a local assignment register. With the clocks so organised, the system enters the state diagram of FIG. 3 at state S1. Note that as yet, no master clock has been selected.

Each of the K clocks in the MCG, i.e. each clock having the MCG bit set in its assignment register, waits for a predetermined period of time, the resynchronisation time, as measured locally. However, because each of these clocks will be running at a slightly different rate, one of them, namely the fastest, will reach the resynchronisation time first. This state is represented by state S2 in FIG. 3. For the sake of convenience, it will be assumed that the fastest clock is clock C₁, although it need not be. When clock C₁ reaches the resynchronisation time, it broadcasts a master selection initiation message m_(start) to all the other clocks in the system using the atomic broadcasting functionality of the CAN protocol, as illustrated in FIG. 2. The master selection initiation message m_(start) is broadcast with priority “0” and therefore takes precedence over any other pending messages at the next bus arbitration round. The master selection initiation message instructs each of the other clocks in the MCG, i.e. each other clock having the MCG bit set in its assignment register, to take a snapshot of the local time, i.e. the time denoted by that clock, at the time it receives the master selection initiation message m_(start). This snapshot is termed a “timestamp”. Receipt of the master selection initiation message m_(start) is acknowledged by means of an acknowledge bit on the CAN bus. When clock C₁ detects the acknowledge bit, it too takes a timestamp. Thus, K timestamps are taken at substantially the same time, each representing a local time T₁, T₂, . . . T_(K).

There then follows a round of timestamp exchanges between the clocks in the MCG, represented in FIG. 3 by state S3. Each of the K clocks in the MCG, i.e. each clock having the MCG bit set in its assignment register, broadcasts a master selection response message m₁, m₂, . . . m_(K) to all the other clocks in the system using the atomic broadcasting functionality of the CAN protocol, as illustrated in FIG. 2. The master selection response messages m₁, m₂, . . . m_(K) are broadcast with priority “0” and therefore take precedence over any other pending messages at the next bus arbitration round. In this way, each of the clocks in the MCG is informed of the timestamp taken by each of the others. Since these timestamps were taken at substantially the same time, each clock in the MCG is able to determine the relative speed of all the clocks in the MCG. The timestamp representing the latest time will belong to the fastest clock, which in this case is clock C₁. The timestamp representing the earliest time will belong to the slowest clock. The timestamp representing the median time will belong to the median clock. This median clock is elected as the master clock. It sets the master clock bit in its assignment register. If there is no single median clock because, for example, K is an even number, whichever of the two median clocks has the highest priority is chosen. This is represented by state S4 in FIG. 3 and by the voting algorithm F_(v) (T₁, T₂, T₃) in FIG. 2. FIG. 2 shows clock C₁ being elected as master.

It is apparent that if the timestamps were used solely for the purpose of determining which clock is to be elected as master, then the timestamp T₁ taken by the clock C₁ might not be required. Because clock C₁ is known to be the fastest clock, at least at the time when the master selection initiation message m_(start) is broadcast, it might be excluded from being elected as the master clock. Similarly, because it lies at the fastest extreme of the clock population, the median clock can still be determined. A system in which such a simplified process is used is within the scope of embodiments of the present invention, but as will be explained below, there are significant advantages associated with taking the timestamp T₁ in the fastest clock C₁. Clearly, in a system in which the clocks can drift relative to one another, there is no guarantee that clock C₁ will still be the fastest clock at the time the master selection initiation message m_(start) is received. In such a case, the timestamp T₁ will be required to be taken by the clock C₁. FIG. 2 shows just such a case, in which one of the other clocks C₂, C₃ has caught up with and overtaken clock C₁ during the period between broadcast and receipt of the master selection initiation message m_(start).

The elected master clock C₁, i.e. the clock that has both the MCG bit and the master clock bit set in its assignment register, then determines the clock synchronisation error for each of the other clocks C_(p) (p≠1) in the MCG. One way it can do this is simply to subtract the timestamp T_(p) (p≠1) of each of those clocks from its own timestamp T₁. If the difference is excessive, that is to say outside a predetermined range, which will normally be centred on zero, then the clock in question, C_(p), is considered to be faulty. Even if the clock C₁ were not elected as master, this step can only be performed if all the clocks in the MCG, including clock C₁, have taken and exchanged timestamps. Indeed, it is possible for each of the clocks in the MCG or each of the clocks in the MCG and each of the clocks in the MCSG to perform this determination too. However, the master clock C₁, i.e. the clock that has both the MCG bit and the master clock bit set in its assignment register, then broadcasts a classification message M^(α) to all the other clocks in the system using the atomic broadcasting functionality of the CAN protocol, as illustrated in FIG. 2. The classification message M^(α) is broadcast with priority “0” and therefore takes precedence over any other pending messages at the next bus arbitration round. The content of the classification message M^(α) identifies which of the N clocks will be in the MCG for the next master election cycle. The master clock simply compiles a list of those clocks that broadcast a timestamp in response to the master selection initiation message, removes any that are determined to have excessive clock synchronisation errors and replaces them with an equal number of clocks from the MCSG. For simplicity, the highest priority clocks from the MCSG are chosen. This is represented by state S5a in FIG. 3. The modified list of clocks is broadcast as part of the classification message M^(α), but not acted upon immediately. This state is represented by state S5 of FIG. 3.

The classification message M^(α) also instructs each of the other clocks in the MCG, i.e. each other clock having the MCG bit set in its assignment register, to take a timestamp at the time it receives the classification message M^(α). Receipt of the classification message M^(α) is acknowledged by means of an acknowledge bit on the CAN bus. When clock C₁ detects the acknowledge bit, it too takes a timestamp. Thus, K timestamps are again taken at substantially the same time, each representing a local time T^(α) ₁, T^(α) ₂, . . . T^(α) _(K), as shown in FIG. 2.

Next, the master clock C₁, i.e. the clock that has both the MCG bit and the master clock bit set in its assignment register, broadcasts a synchronisation message M^(β) to all the other clocks in the system using the atomic broadcasting functionality of the CAN protocol, as illustrated in FIG. 2. The synchronisation message M^(β) is broadcast with priority “0” and therefore takes precedence over any other pending messages at the next bus arbitration round. The synchronisation message M^(β) contains the timestamp T^(α) ₁ taken by the master clock C₁ at the time the classification message M^(α) was received. This state is represented by state S6 in FIG. 3. Each of the other K−1 clocks C_(p) (p≠1) in the MCG then calculates its clock synchronisation error by subtracting its timestamp T^(α) _(p) (p≠1) from the timestamp T^(α) ₁ broadcast by the master clock and corrects itself accordingly. This is represented by state S7 in FIG. 3.

Only after this point are the contents of the classification message M^(α) acted upon. Any clock that is currently in the MCG, i.e. any clock that has the MCG bit set in its assignment register, but is not identified as belonging to the MCG in the classification message M^(α), resets the MCG bit in its assignment register and sets a fault bit. Any clock that is not currently in the MCG, i.e. any clock that does not have the MCG bit set in its assignment register, but is identified as belonging to the MCG in the classification message M^(α), then inspects the fault bit in its assignment register. If that bit is clear, it broadcasts an acceptance message m_(ack) using the atomic broadcasting functionality of the CAN protocol, as illustrated in FIG. 2. The acceptance message m_(ack) is broadcast with priority “0” and therefore takes precedence over any other pending messages at the next bus arbitration round. On the other hand, if the fault bit is set, it broadcasts a rejection message m_(ack) using the atomic broadcasting functionality of the CAN protocol, as illustrated in FIG. 2. The rejection message m_(ack) is broadcast with priority “0” and therefore takes precedence over any other pending messages at the next bus arbitration round. The broadcast of a rejection message causes the next highest priority clock that is not currently in the MCG to inspect the fault bit in its assignment register. If that bit is clear, it broadcasts an acceptance message m_(ack); if it is set, it broadcasts a rejection message m_(ack). The process continues until a substitute is found. This is represented by state S8 in FIG. 3. The substitute sets the MCG bit in its assignment register, thus reconstituting the MCG. This is represented by state S9 in FIG. 3. The whole process then returns to state S1, which is where it began.

There are other ways in which the selection and vetting of substitute clocks can be achieved. Since all traffic on the CAN bus is public, each clock may keep a record of the clocks already found to be faulty. This record can be used to prevent the master clock from designating a high-priority but faulty clock as a substitute clock in the event of another clock fault in the MCG. In such a case, the designated substitute need not inspect its own fault bit, although it might do so as a safety double-check.

Clocks that are not in the MCG may also take a timestamp on receipt of the master selection initiation message m_(start). This would allow them to determine their own clock synchronisation errors as compared with the elected master clock and whether those errors are excessive. This information can be used to accept or reject their designation as a substitute clock, preventing faulty clocks from being assigned to the MCG in the first place.

The steps described above are performed periodically and each time a new master is elected, any previous master resets the master clock bit in its own assignment register.
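The cycle of states S1 to S9 can be traced in a few lines of code. The following Python simulation is an added example, not part of the patent text: it models each clock as a constant offset from true time in microseconds, assumes that a lower clock number means a higher priority, and uses the fault bits as the record of known-faulty clocks when picking a substitute. All names and sample values are constructed for illustration.

```python
"""One resynchronisation cycle of the MCG/MCSG scheme, simulated without a bus."""
from dataclasses import dataclass


@dataclass
class Clock:
    ident: int            # assumption: 1 = highest priority, as in C1..CN
    offset_us: int        # constructed model: local time minus true time
    mcg: bool = False     # assignment-register bits
    master: bool = False
    fault: bool = False

    def stamp(self, true_us):
        """Local time at the instant an atomic broadcast is received."""
        return true_us + self.offset_us


def elect_master(stamps):
    """Median timestamp wins; for an even count, the higher-priority
    (lower-numbered) of the two middle clocks is chosen."""
    ordered = sorted(stamps, key=lambda i: (stamps[i], i))
    k = len(ordered)
    if k % 2:
        return ordered[k // 2]
    return min(ordered[k // 2 - 1], ordered[k // 2])


def faulty_candidates(stamps, master, tolerance_us):
    """Candidates whose timestamp differs from the master's by more than
    the permitted range (taken here as symmetric about zero)."""
    t_master = stamps[master]
    return {i for i, t in stamps.items()
            if i != master and abs(t_master - t) > tolerance_us}


def next_mcg(current, faulty, substitutes, known_faulty):
    """List carried by the classification message: drop faulty candidates and
    add the same number of highest-priority substitutes not known to be faulty."""
    keep = [i for i in current if i not in faulty]
    pool = [i for i in sorted(substitutes) if i not in known_faulty]
    return sorted(keep + pool[:len(faulty)])


def resync_cycle(clocks, t_start, t_class, tolerance_us):
    by_id = {c.ident: c for c in clocks}
    mcg = [c.ident for c in clocks if c.mcg]
    # S2/S3: every candidate timestamps m_start and the stamps are exchanged.
    stamps = {i: by_id[i].stamp(t_start) for i in mcg}
    # S4: median election.
    master = elect_master(stamps)
    for c in clocks:
        c.master = (c.ident == master)
    # S5: the master vets the candidates and compiles the next MCG.
    faulty = faulty_candidates(stamps, master, tolerance_us)
    mcsg = [c.ident for c in clocks if not c.mcg]
    known_faulty = {c.ident for c in clocks if c.fault}
    new_mcg = next_mcg(mcg, faulty, mcsg, known_faulty)
    # S6/S7: the master's stamp of the classification message is broadcast;
    # every other clock corrects by (master stamp - own stamp), so the bus
    # latency cancels out.
    t_alpha_master = by_id[master].stamp(t_class)
    for c in clocks:
        if c.ident != master:
            c.offset_us += t_alpha_master - c.stamp(t_class)
    # S8/S9: only now is the classification list acted upon.
    for c in clocks:
        if c.mcg and c.ident not in new_mcg:
            c.mcg, c.fault = False, True
        elif c.ident in new_mcg:
            c.mcg = True
    return master, faulty, new_mcg


def demo():
    # Constructed sample: N = 5, K = 3. C3 has drifted badly and C4 was
    # already marked faulty in an earlier cycle.
    clocks = [
        Clock(1, 40, mcg=True),
        Clock(2, -10, mcg=True),
        Clock(3, 900, mcg=True),
        Clock(4, 5, fault=True),
        Clock(5, -20),
    ]
    master, faulty, new_mcg = resync_cycle(clocks, 1_000_000, 1_000_500, 100)
    return master, faulty, new_mcg, clocks


if __name__ == "__main__":
    print(demo()[:3])
```

With K = 3, a single wildly drifting candidate always sits at one extreme of the sorted timestamps, so it cannot be elected and is the clock that the master's comparison removes.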

Embodiments of the present invention enjoy a number of advantages. The mechanism for electing a master clock from the MCG is very simple as only three candidate clocks are needed. The desired level of fault-tolerance can be achieved by choosing the appropriate number of substitute clocks. Moreover, the method is cost-effective because faulty clocks need not be removed from the system and those clocks that have recovered from faults can easily re-join the system.

The reader's attention is directed to all papers and documents which are filed concurrently with or previous to this specification in connection with this application and which are open to public inspection with this specification, and the contents of all such papers and documents are incorporated herein by reference.

All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and/or all of the steps of any method or process so disclosed, may be combined in any combination, except combinations where at least some of such features and/or steps are mutually exclusive.

Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise. Thus, unless expressly stated otherwise, each feature disclosed is one example only of a generic series of equivalent or similar features.

The invention is not restricted to the details of any foregoing embodiments. The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.

1. A clock synchronization method for a system including N clocks, comprising: classifying at least three and at most N−1 of the N clocks as master candidate clocks; selecting one of the master candidate clocks and classifying it as a master clock; synchronising each of the N clocks other than the master clock with the master clock; and for each master candidate clock, determining whether its clock synchronisation error is excessive and, in response to an affirmative determination, declassifying that clock as a master candidate clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock.
2. A method according to claim 1 wherein selecting one of the master candidate clocks comprises: from one of the master candidate clocks, broadcasting a master selection initiation message; from each of the other master candidate clocks, broadcasting a master selection response message including information representing the local time of receipt of the master selection initiation message according to the clock in question; and selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message.
3. A method according to claim 1 wherein selecting one of the master candidate clocks comprises: from one of the master candidate clocks, broadcasting a master selection initiation message; from each of the master candidate clocks, broadcasting a master selection response message including information representing the local time of receipt of the master selection initiation message according to the clock in question; and selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message.
4. A method according to claim 2 wherein the clock synchronisation error for each master candidate clock is determined using the information representing the local times of receipt of the master selection initiation message.
5. A method according to claim 2 wherein the master selection initiation message is broadcast from the fastest master candidate clock.
6. A method according to claim 5 wherein each master candidate clock is adapted to broadcast the master selection initiation message at a given local time unless such a message has already been broadcast by another master candidate clock.
7. A method according to claim 2 wherein selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message comprises selecting the median master candidate clock.
8. A method according to claim 1, further comprising: in response to the affirmative determination, classifying as a faulty clock the clock that is declassified as a master candidate clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock or a faulty clock.
9. A method according to claim 1 wherein the question whether the clock synchronisation error for each master candidate clock is excessive is determined by the master clock.
10. A method according to claim 9 wherein, following determination of that question, the master clock broadcasts a classification message identifying which of the N clocks are to be classified as master candidate clocks.
11. A method according to claim 1 wherein synchronising each of the N clocks other than the master clock with the master clock comprises: from the master clock, broadcasting a synchronisation message including synchronisation information; and synchronising each of the N clocks other than the master clock with the master clock using the synchronisation information.
12. A method according to claim 10 wherein synchronising each of the N clocks other than the master clock with the master clock comprises: from the master clock, broadcasting a synchronisation message including synchronisation information representing the local time of receipt of the classification message according to the master clock; and synchronising each of the N clocks other than the master clock with the master clock using the synchronisation information and the local time of receipt of the classification message according to the clock in question.
13. A clock synchronization method for a system including N clocks, comprising: classifying at least three and at most N−1 of the N clocks as master candidate clocks; from one of the master candidate clocks, broadcasting a master selection initiation message; from each of the other master candidate clocks, broadcasting a master selection response message including information representing the local time of receipt of the master selection initiation message according to the clock in question; selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and classifying it as a master clock; and synchronising each of the N clocks other than the master clock with the master clock.
14. A clock synchronization method for a system including N clocks, comprising: classifying at least three and at most N−1 of the N clocks as master candidate clocks; from one of the master candidate clocks, broadcasting a master selection initiation message; from each of the master candidate clocks, broadcasting a master selection response message including information representing the local time of receipt of the master selection initiation message according to the clock in question; selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and classifying it as a master clock; and synchronising each of the N clocks other than the master clock with the master clock.
15. A method according to claim 13 wherein the master selection initiation message is broadcast from the fastest master candidate clock.
16. A method according to claim 15 wherein each master candidate clock is adapted to broadcast the master selection initiation message at a given local time unless such a message has already been broadcast by another master candidate clock.
17. A method according to claim 13 wherein selecting one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message comprises selecting the median master candidate clock.
18. A method according to claim 1 wherein the system further includes M slave clocks, the method further comprising synchronising each of the M slave clocks with the master clock.
19. A method according to claim 18 wherein the synchronising of each of the M slave clocks and the synchronising of each of the N clocks other than the master clock are accomplished in common.
20. A clock for use in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the clock comprising a controller adapted to operate as follows: to record whether the clock is classified as a master clock or a master candidate clock; if the clock is classified as a master clock, to determine, for each master candidate clock, whether its clock synchronisation error is excessive and, in response to an affirmative determination, to broadcast a classification message declassifying that clock as a master candidate clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock; and if the clock is not classified as a master clock, to receive such a classification message broadcast from a master clock and, if that message classifies or declassifies it as a master candidate clock, to record that fact.
21. A clock according to claim 20 wherein the controller is further adapted to operate as follows: if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.
22. A clock according to claim 20 wherein the controller is further adapted to operate as follows: if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock; if the clock is classified as a master candidate clock and such a master selection initiation message is broadcast by another master candidate clock before the given local time, to receive the master selection initiation message and to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message; if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock.
23. A clock according to claim 20 wherein the controller is further adapted to operate as follows: if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock; if the clock is classified as a master candidate clock and such a master selection initiation message has been broadcast, to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message; if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock.
24. A clock according to claim 22 wherein the controller is adapted to determine the clock synchronisation error for each master candidate clock using the information representing the local times of receipt of the master selection initiation message.
25. A clock according to claim 21 wherein the controller is so adapted that the master candidate clock selected using the information representing the local times of receipt of the master selection initiation message is the median master candidate clock.
26. A clock according to claim 20 wherein the controller is further adapted to operate as follows: to record whether the clock is classified as a faulty clock; if the clock is classified as a master clock, in response to an affirmative determination of the question whether the clock synchronisation error of a master candidate clock is excessive, to broadcast a classification message classifying that clock as a faulty clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock or a faulty clock; and if the clock is not classified as a master clock and such a classification message broadcast from a master clock classifies it as a faulty clock, to record that fact.
27. A clock according to claim 20 wherein the controller is adapted to operate as follows: if the clock is classified as a master clock, following the determination of the question whether the clock synchronisation error of each master candidate clock is excessive, to broadcast a classification message identifying which of the N clocks are to be classified as master candidate clocks.
28. A clock according to claim 27 wherein the controller is further adapted to operate as follows: if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information representing the local time of receipt of the classification message according to the master clock; and if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information and the local time of receipt of the classification message according to the clock in question.
29. A clock for use in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the clock comprising a controller adapted to operate as follows: to record whether the clock is classified as a master clock or a master candidate clock; if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock; if the clock is classified as a master candidate clock and such a master selection initiation message is broadcast by another master candidate clock before the given local time, to receive the master selection initiation message and to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message; if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock; if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.
30. A clock for use in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the clock comprising a controller adapted to operate as follows: to record whether the clock is classified as a master clock or a master candidate clock; if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock; if the clock is classified as a master candidate clock and such a master selection initiation message has been broadcast, to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message; if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock; if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.
 31. A clock according to claim 29 wherein the controller is adapted to determine the clock synchronisation error for each master candidate clock using the information representing the local times of receipt of the master selection initiation message.
 32. A clock according to claim 29 wherein the controller is so adapted that the master candidate clock selected using the information representing the local times of receipt of the master selection initiation message is the median master candidate clock.
 33. A software product for a clock comprised in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the software product comprising software code adapted to cause the clock to operate as follows: to record whether the clock is classified as a master clock or a master candidate clock; if the clock is classified as a master clock, to determine, for each master candidate clock, whether its clock synchronisation error is excessive and, in response to an affirmative determination, to broadcast a classification message declassifying that clock as a master candidate clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock; and if the clock is not classified as a master clock, to receive such a classification message broadcast from a master clock and, if that message classifies or declassifies it as a master candidate clock, to record that fact.
 34. A software product according to claim 33 wherein the software code is further adapted to cause the clock to operate as follows: if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.
 35. A software product according to claim 33 wherein the software code is further adapted to cause the clock to operate as follows: if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock; if the clock is classified as a master candidate clock and such a master selection initiation message is broadcast by another master candidate clock before the given local time, to receive the master selection initiation message and to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message; if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock.
 36. A software product according to claim 33 wherein the software code is further adapted to cause the clock to operate as follows: if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock; if the clock is classified as a master candidate clock and such a master selection initiation message has been broadcast, to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message; if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock.
 37. A software product according to claim 35 wherein the software code is adapted to cause the clock to determine the clock synchronisation error for each master candidate clock using the information representing the local times of receipt of the master selection initiation message.
 38. A software product according to claim 34 wherein the software code is so adapted that the master candidate clock selected using the information representing the local times of receipt of the master selection initiation message is the median master candidate clock.
 39. A software product according to claim 33 wherein the software code is further adapted to cause the clock to operate as follows: to record whether the clock is classified as a faulty clock; if the clock is classified as a master clock, in response to an affirmative determination of the question whether the clock synchronisation error of a master candidate clock is excessive, to broadcast a classification message classifying that clock as a faulty clock and classifying as a master candidate clock another of the N clocks that is not already classified as a master candidate clock or a faulty clock; and if the clock is not classified as a master clock and such a classification message broadcast from a master clock classifies it as a faulty clock, to record that fact.
 40. A software product according to claim 33 wherein the software code is further adapted to cause the clock to operate as follows: if the clock is classified as a master clock, following the determination of the question whether the clock synchronisation error of each master candidate clock is excessive, to broadcast a classification message identifying which of the N clocks are to be classified as master candidate clocks.
 41. A software product according to claim 40 wherein the software code is further adapted to cause the clock to operate as follows: if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information representing the local time of receipt of the classification message according to the master clock; and if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information and the local time of receipt of the classification message according to the clock in question.
 42. A software product for a clock comprised in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the software product comprising software code adapted to cause the clock to operate as follows: to record whether the clock is classified as a master clock or a master candidate clock; if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock; if the clock is classified as a master candidate clock and such a master selection initiation message is broadcast by another master candidate clock before the given local time, to receive the master selection initiation message and to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message; if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock; if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.
 43. A software product for a clock comprised in a system including N clocks, of which one is classified as a master clock and at least three and at most N−1, including the master clock, are classified as master candidate clocks, the software product comprising software code adapted to cause the clock to operate as follows: to record whether the clock is classified as a master clock or a master candidate clock; if the clock is classified as a master candidate clock, to broadcast a master selection initiation message at a given local time unless such a master selection initiation message has already been broadcast by another master candidate clock; if the clock is classified as a master candidate clock and such a master selection initiation message has been broadcast, to broadcast a master selection response message including information representing the local time of receipt of the master selection initiation message; if the clock is classified as a master candidate clock, to select one of the master candidate clocks using the information representing the local times of receipt of the master selection initiation message and, if in so doing it selects itself, to record the fact that it is classified as a master clock; if the clock is classified as a master clock, to broadcast a synchronisation message including synchronisation information; and if the clock is not classified as a master clock, to receive such a synchronisation message broadcast from a master clock and to synchronise itself with the master clock using the synchronisation information.
 44. A software product according to claim 42 wherein the software code is adapted to cause the clock to determine the clock synchronisation error for each master candidate clock using the information representing the local times of receipt of the master selection initiation message.
 45. A software product according to claim 42 wherein the software code is so adapted that the master candidate clock selected using the information representing the local times of receipt of the master selection initiation message is the median master candidate clock.
 46. (Canceled)
 47. (Canceled)
 48. (Canceled)
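
The following sketch is an added illustration and forms no part of the claims or of the patentee's code: it walks through median master selection (claims 32, 38, 45), error determination and reclassification (claims 33, 39, 40) and the synchronisation correction (claim 41). The function names, the error measure (offset from the master's receipt time), the threshold, the tie-breaking rule and the sample receipt times are all assumptions made for the illustration.

```python
from statistics import median_low

# Constructed sample: N = 7 clocks, five master candidates. Values are each
# candidate's local time of receipt of the initiation message (microseconds).
ALL_CLOCKS = ["A", "B", "C", "D", "E", "F", "G"]
SAMPLE = {"A": 1000, "B": 1004, "C": 998, "D": 1950, "E": 1001}  # D has drifted

def select_master(receipt):
    """Return the candidate whose reported receipt time is the median.
    Assumptions: an even candidate count takes the lower middle value and
    ties go to the lowest clock id, so every candidate selects the same one."""
    target = median_low(receipt.values())
    return min(cid for cid, t in receipt.items() if t == target)

def sync_errors(receipt, master):
    """Assumed error measure: each candidate's offset from the master's
    receipt time, treating the broadcast as arriving everywhere at once."""
    return {cid: t - receipt[master] for cid, t in receipt.items()}

def reclassify(receipt, all_clocks, max_error, faulty=frozenset()):
    """Master-side step: mark candidates whose error is excessive as faulty
    and promote spare clocks that are neither candidates nor faulty."""
    master = select_master(receipt)
    errors = sync_errors(receipt, master)
    bad = {cid for cid, e in errors.items() if abs(e) > max_error}
    spares = sorted(set(all_clocks) - set(receipt) - set(faulty))
    promoted = spares[:len(bad)]
    candidates = sorted((set(receipt) - bad) | set(promoted))
    return master, candidates, sorted(bad)

def correction(master_rx, local_rx):
    """Value a non-master clock adds to its own time, from the master's and
    its own local receipt times of the classification message."""
    return master_rx - local_rx

if __name__ == "__main__":
    master, candidates, bad = reclassify(SAMPLE, ALL_CLOCKS, max_error=50)
    print("master:", master, "candidates:", candidates, "faulty:", bad)
    print("correction for a clock 7 us fast:", correction(2000, 2007))
```

Because the median is taken over all candidates' reports, a single clock reporting an extreme time (D in the sample) cannot become master and is the one removed from the candidate set.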